Meltdown and Spectre

Kyle Masters

February 8, 2018

Last month, it was announced that the processors that run most
computers and servers were vulnerable to a pair of bugs known as
Meltdown and Spectre. The bugs were uncovered by programmers, who
found that they affect processors manufactured for at least the last
ten years. It was initially reported that the bugs only affected Intel
processors; however, it has been acknowledged that Meltdown and Spectre
affect the big three processor families (Intel, AMD, and Arm).

First, let's look at what Meltdown and Spectre do, how they can affect
your dealership, and how Carbase was at the front of the line to protect
your data.

What are Meltdown and Spectre, and what do they do?

Meltdown and Spectre were kept confidential for months to give
software vendors time to release fixes. The issue exposed by these
bugs is related to the way that regular apps and programs interact
with the Central Processing Unit (CPU) via a system known as the
kernel. Kernels in operating systems (such as Windows or Linux) have
complete control over the entire system. They run the show. Kernels
connect applications (software) to the processor, memory, and other
physical pieces (hardware) of the computer. The flaw that was
discovered initially in Intel processors lets attackers bypass the
kernel's access protections so that a regular app can read the
contents of kernel memory. Essentially, it was a portal which granted
access to any data on the system.

This obviously has serious security implications. For example, on
your home PC an attacker could read passwords you enter, data from your
banking websites, etc. That is why the bugs were kept confidential until
fixes were in place. In the automotive realm, the bugs could have had
serious implications. Service providers host what are called virtual
machines to run web servers, databases, and many other business-related
processes. Several virtual machines can be run on one physical server,
cutting infrastructure costs, which is why all service providers use
them. With Meltdown and Spectre, if an attacker were to utilize the
kernel vulnerability on the virtual machine host (called a hypervisor),
they would then have access to all data stored either on the physical
server or within any of the virtual machines hosted on that
hypervisor. The attacker would have access to encryption keys, stored
passwords, payment information, and other personally identifiable
information.

How is it fixed?

Now for the good news. There have been no known attacks using the
Meltdown or Spectre bugs. Again, this is why the manufacturers kept them
confidential while patches were worked out. These patches involved a
rewrite of the Windows and Linux kernels in order to lock down the
protected memory. The problem with the fixes is that any security you
add slows the system down. Users were reporting slowdowns between 5
and 30 percent.
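
On a Linux host, the patched kernel reports the state of these fixes itself. The script below is an added example, not Carbase's code: it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported Meltdown/Spectre status.
# Assumption: the running Linux kernel exposes the sysfs directory below;
# a kernel without these files predates the fixes or hides the report.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> NOT_AFFECTED, VULNERABLE, PATCHED or UNKNOWN.
# Any mention of "vulnerable" wins, so a partly mitigated line is not
# reported as patched.
classify_status() {
    case "$1" in
        "Not affected"*)  echo NOT_AFFECTED ;;
        *[Vv]ulnerable*)  echo VULNERABLE ;;
        "Mitigation:"*)   echo PATCHED ;;
        *)                echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per issue and returns 0 only
# if every entry is PATCHED or NOT_AFFECTED. A missing file is UNKNOWN.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
            verdict=$(classify_status "$raw")
        else
            raw="(no kernel report)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-13s %s\n' "$name" "$verdict" "$raw"
        case "$verdict" in
            PATCHED|NOT_AFFECTED) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_cpu_vulns
fi
```

A non-zero exit status means at least one entry is vulnerable or unreported, which makes the script usable in a patch-compliance job.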

Thankfully, Carbase runs distributed systems that don't tax our
machines to 100% of their capacity. We always make sure that we have
enough headroom for upward growth and issues just like this. Our
systems have been patched, updated, and are unaffected by Meltdown and
Spectre, and there have been no measurable performance implications.
Your data remains safe in the Carbase system and your loading times will
remain consistent with SEO standards.

In summary, if you have services that are not hosted with Carbase,
you should contact your service providers to ensure that they have
patched their production systems to protect your data.